"This settlement is a strong and important result for those financial institutions that sustained losses as a result of the Target data breach, providing compensation well beyond what the card brand networks offered," according to a statement from Charles Zimmerman, lead counsel for the plaintiffs, and plaintiffs' co-counsel. "It also sets an important precedent that financial institutions should not always have to bear the burden of extensive costs related to merchant data breaches over which they have no control."

The proposed agreement comes after nearly two years of legal wrangling in the courts between Target and U.S. banking institutions involved in the settlement. Earlier this year, banking institutions' right to file a class action suit against Target had been upheld by the court (see Target Breach Suit Won't Be Dismissed and Why Target Could Owe Banks).

Eligible Institutions

The settlement, according to a statement from plaintiffs' attorneys, will apply to all U.S. banks and credit unions that issued debit and credit cards affected by Target's breach that did not previously release their claims, such as by agreeing to settlements offered by Visa or MasterCard (see Target Breach: MasterCard Weighs New Settlement).

Target in August agreed to pay Visa card issuers up to a reported $67 million to cover their breach-related expenses. In May, card issuers rejected Target's $19 million settlement proposal with MasterCard. But Seth Eisen, a spokesman for MasterCard, says the card brand reached a second settlement with Target in August for $19 million, although the details were never made public.

The newly announced proposed settlement payout of up to $39.4 million includes:

Up to $20.25 million that Target will pay directly to settlement class members, as well as for the notice and administration of the settlement.

A $19.1 million payment by Target to fund MasterCard's Account Data Compromise program related to the data breach.

If the settlement wins court approval, eligible banking institutions will be able to submit a claim form to receive a cash payment, which will be in addition to funds already received through Visa's Global Compromised Account Recovery program, MasterCard's Account Data Compromise programs and other card brand reimbursement programs.

Banking institutions that are part of the class action will receive a court-authorized notice and claim forms by mail or through the settlement website.

Payments will be made after the settlement is approved by the court and any appeals have been completed.

Precedent-Setting?

One legal expert, who asked not to be named, says Target's pending settlement with the banks won't necessarily pave the way for similar settlements with other breached retailers.

That's because Minnesota, where Target is based, has a unique statute, the Minnesota Plastic Card Security Act, that requires breached merchants to reimburse card-issuing institutions for expenses and losses they suffered as a result of the breach.

District Judge Paul Magnuson has applied that Minnesota statute to all claims made in the class action suit by banking institutions impacted by the breach, regardless of where those institutions are located, the expert says. "This statue drove this case, and ultimately, after several favorable rulings based on it, the settlement."

In his Dec. 2 order, Magnuson reiterated that the banks' claims that Target violated the Minnesota statute were valid.

But attorney Chris Pierson, chief security officer at invoicing and payments provider Viewpost, believes the Target settlement with the banks is likely to have a far-reaching impact, despite the implications of the Minnesota statute.

"This settlement indicates that banks and others in the payment ecosystem are going to try to make themselves whole after breaches affecting their customers and cards," Pierson says. "This settlement is more significant because the smaller financial institutions have indicated they will not approve settlements for financial institutions that are not addressing their unique needs and financial harms."

About the Author

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.in, you agree to our use of cookies.